Commit | Line | Data |
---|---|---|
e1174c56 AT |
1 | # SPDX-License-Identifier: GPL-2.0+ |
2 | # Copyright (c) 2020, Linaro Limited | |
3 | # Author: AKASHI Takahiro <takahiro.akashi@linaro.org> | |
4 | # | |
5 | # U-Boot UEFI: Image Authentication Test (signature with certificates chain) | |
6 | ||
7 | """ | |
8 | This test verifies image authentication for a signed image which is signed | |
9 | by user certificate and contains additional intermediate certificates in its | |
10 | signature. | |
11 | """ | |
12 | ||
13 | import pytest | |
14 | ||
15 | ||
@pytest.mark.boardspec('sandbox')
@pytest.mark.buildconfigspec('efi_secure_boot')
@pytest.mark.buildconfigspec('cmd_efidebug')
@pytest.mark.buildconfigspec('cmd_fat')
@pytest.mark.buildconfigspec('cmd_nvedit_efi')
@pytest.mark.slow
class TestEfiSignedImageIntca:
    """
    UEFI secure boot checks for images signed with a certificate chain.

    Each case restarts U-Boot, binds the prepared disk image as host
    device 0, loads signed ``*.auth`` payloads to address 4000000 and
    writes them to the secure boot variables (db, dbx, KEK, PK) with
    ``setenv -e -nv -bs -rt -at -i``: a non-volatile EFI variable with
    boot-service and runtime access, written as a time-based
    authenticated update.  PK is always written last; enrolling PK
    normally takes the platform out of setup mode.

    A rejected image is recognised by the boot entry's ``failed``
    message together with ``efi_bootmgr_load() returned: 26``.  26
    matches EFI_SECURITY_VIOLATION in the UEFI status code table with
    the error bit stripped -- confirm against efidebug's output format.

    NOTE(review): going by the comments in Test Case 3, ``*_b.auth``
    refers to the intermediate CA and ``*_c.auth`` to the root CA.  The
    image suffixes (``signed_a``, ``signed_ab``, ``signed_abc``)
    presumably name the certificates embedded in the signature; verify
    against the fixture that builds the disk image.
    """

    def test_efi_signed_image_intca1(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 1 - authenticated by root CA in db

        1a: ``signed_a`` carries no intermediate certificate and must be
        rejected.  1b: ``signed_ab`` must boot with the same db content.
        """
        u_boot_console.restart_uboot()

        with u_boot_console.log.section('Test Case 1a'):
            # Test Case 1a, with no Int CA and not authenticated by root CA
            enroll_cmds = [
                'host bind 0 %s' % efi_boot_env_intca,
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
            ]
            console_text = ''.join(
                u_boot_console.run_command_list(enroll_cmds))
            # Every variable update has to be accepted before booting.
            assert 'Failed to set EFI variable' not in console_text

            boot_cmds = [
                'efidebug boot add -b 1 HELLO_a host 0:1 /helloworld.efi.signed_a -s ""',
                'efidebug boot order 1',
                'efidebug test bootmgr',
            ]
            console_text = ''.join(u_boot_console.run_command_list(boot_cmds))
            # The chain cannot be built up to db, so the load is refused.
            assert '\'HELLO_a\' failed' in console_text
            assert 'efi_bootmgr_load() returned: 26' in console_text

        with u_boot_console.log.section('Test Case 1b'):
            # Test Case 1b, signed and authenticated by root CA
            boot_cmds = [
                'efidebug boot add -b 2 HELLO_ab host 0:1 /helloworld.efi.signed_ab -s ""',
                'efidebug boot order 2',
                'bootefi bootmgr',
            ]
            console_text = ''.join(u_boot_console.run_command_list(boot_cmds))
            assert 'Hello, world!' in console_text

    def test_efi_signed_image_intca2(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 2 - authenticated by root CA in db

        The same image (``signed_abc``) is tried three times: with no db
        written, with db_b.auth in db, and with db_c.auth in db.  Only
        the last attempt is expected to boot.
        """
        u_boot_console.restart_uboot()

        with u_boot_console.log.section('Test Case 2a'):
            # Test Case 2a: only KEK and PK are written here, db is not,
            # so the signed image has nothing to be authenticated against.
            enroll_cmds = [
                'host bind 0 %s' % efi_boot_env_intca,
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
            ]
            console_text = ''.join(
                u_boot_console.run_command_list(enroll_cmds))
            assert 'Failed to set EFI variable' not in console_text

            boot_cmds = [
                'efidebug boot add -b 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc -s ""',
                'efidebug boot order 1',
                'efidebug test bootmgr',
            ]
            console_text = ''.join(u_boot_console.run_command_list(boot_cmds))
            assert '\'HELLO_abc\' failed' in console_text
            assert 'efi_bootmgr_load() returned: 26' in console_text

        with u_boot_console.log.section('Test Case 2b'):
            # Test Case 2b: db is written from db_b.auth (presumably the
            # intermediate CA -- TODO confirm); the boot must still fail.
            retry_cmds = [
                'fatload host 0:1 4000000 db_b.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'efidebug boot order 1',
                'efidebug test bootmgr',
            ]
            console_text = ''.join(
                u_boot_console.run_command_list(retry_cmds))
            assert '\'HELLO_abc\' failed' in console_text
            assert 'efi_bootmgr_load() returned: 26' in console_text

        with u_boot_console.log.section('Test Case 2c'):
            # Test Case 2c, signed and authenticated by root CA
            retry_cmds = [
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'efidebug boot order 1',
                'efidebug test bootmgr',
            ]
            console_text = ''.join(
                u_boot_console.run_command_list(retry_cmds))
            assert 'Hello, world!' in console_text

    def test_efi_signed_image_intca3(self, u_boot_console, efi_boot_env_intca):
        """
        Test Case 3 - revoked by dbx

        3a writes dbx_b.auth to dbx and expects the image to boot; 3b
        writes dbx_c.auth to dbx and expects the image to be rejected.
        """
        u_boot_console.restart_uboot()

        with u_boot_console.log.section('Test Case 3a'):
            # Test Case 3a, revoked by int CA in dbx
            enroll_cmds = [
                'host bind 0 %s' % efi_boot_env_intca,
                'fatload host 0:1 4000000 dbx_b.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                'fatload host 0:1 4000000 db_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize db',
                'fatload host 0:1 4000000 KEK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize KEK',
                'fatload host 0:1 4000000 PK.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize PK',
            ]
            console_text = ''.join(
                u_boot_console.run_command_list(enroll_cmds))
            assert 'Failed to set EFI variable' not in console_text

            boot_cmds = [
                'efidebug boot add -b 1 HELLO_abc host 0:1 /helloworld.efi.signed_abc -s ""',
                'efidebug boot order 1',
                'efidebug test bootmgr',
            ]
            console_text = ''.join(u_boot_console.run_command_list(boot_cmds))
            # NOTE(review): this pins the image as bootable although the
            # intermediate CA entry has been written to dbx.  The original
            # author left the opposite outcome as a commented-out
            # alternative, so the intended revocation semantics look
            # undecided; a change in either direction should be a
            # deliberate decision.
            assert 'Hello, world!' in console_text
            # Or,
            #     assert '\'HELLO_abc\' failed' in ''.join(output)
            #     assert 'efi_bootmgr_load() returned: 26' in ''.join(output)

        with u_boot_console.log.section('Test Case 3b'):
            # Test Case 3b, revoked by root CA in dbx
            revoke_cmds = [
                'fatload host 0:1 4000000 dbx_c.auth',
                'setenv -e -nv -bs -rt -at -i 4000000:$filesize dbx',
                'efidebug boot order 1',
                'efidebug test bootmgr',
            ]
            console_text = ''.join(
                u_boot_console.run_command_list(revoke_cmds))
            assert '\'HELLO_abc\' failed' in console_text
            assert 'efi_bootmgr_load() returned: 26' in console_text